Malicious PDF — malware analysis report

Static analysis result for SHA-256 0418b4609f958a98…

Verdict: MALICIOUS
File type: PDF
Size: 47.1 KB
Authoring application: pdf-parser
MD5: 41e64a0dbac043fa3bfa47dae2a07dcb
SHA-1: e183f2d8e63cdfd3bd0089c1c72cb9e930f40829
SHA-256: 0418b4609f958a98d76b4adb59b6203a089954234a13d3b3ae01b151b6806277
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries a large number of clickable external links and is flagged by the PDF_SEO_LINK_FARM heuristic. The visible body text (a detox-smoothie recipe) is filler; the document's primary function is to distribute those links. Of the seventeen extracted URLs, fifteen point at fifteen different hosts yet share the same /uploads/1/3/0/<digit>/130<six digits>/ path template, which is the signature of a generated link farm on one hosting platform rather than a genuine citation pattern. The ClamAV detection (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the ML classifier score (0.9999) agree on malicious intent, most likely phishing or traffic redirection into an unwanted-software delivery chain. No scripts (JavaScript or otherwise) were extracted from this sample. The two dejavu.sourceforge.net URLs are the DejaVu font project's homepage and license page, which the DejaVu fonts embed in their own metadata; they almost certainly originate from the two embedded sfnt fonts listed under Extracted artifacts, not from link annotations, and should not be treated as indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://vanstonesucks.com/uploads/1/3/0/4/130436050/8171911.pdf
    • http://ebenezerumc.com/uploads/1/3/0/6/130639309/e6c1a1564f.pdf
    • http://matio3d.com/uploads/1/3/0/5/130544078/e4dc12661a22878.pdf
    • http://mylibruldad.com/uploads/1/3/0/7/130740387/xuzijev-kupisetilanab-vinulabiwisog-pogafopek.pdf
    • http://mektephan.net/uploads/1/3/0/7/130740627/tilafutegokodikopiv.pdf
    • http://clubheros.org/uploads/1/3/0/7/130740169/3244417250f.pdf
    • http://drkontry.net/uploads/1/3/0/6/130639569/xamalem_madipi_relopunegowo_luxizuzig.pdf
    • http://alanpliuart.com/uploads/1/3/0/3/130323520/08fee8b2.pdf
    • http://rptservices.org/uploads/1/3/0/2/130289681/ca03d62ba.pdf
    • http://fubesac.store/uploads/1/3/0/4/130488811/birapewotofuji-fivebotuv.pdf
    • http://northcotswolds.com/uploads/1/3/0/5/130590208/735277.pdf
    • http://tewksburyhistoricalsociety.site/uploads/1/3/0/5/130546118/luxuke.pdf
    • http://robotvietnam.net/uploads/1/3/0/6/130640136/romawi.pdf
    • http://olqm.us/uploads/1/3/0/3/130323511/7a6d886.pdf
    • http://bejustalittlebetter.com/uploads/1/3/0/2/130288431/130288431.html#detox+smoothie+recipe+for+weight+loss
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
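The link-farm heuristic above can be reproduced in a few dozen lines. The following is an added example, not the analysis platform's own code: it builds a small, well-formed PDF from a list of URLs (constructed input with hypothetical hosts), pulls the targets of every literal-string /URI link action back out, and applies a PDF_SEO_LINK_FARM-style rule. It goes one step beyond the heuristic text on this page by measuring clustering both per host and per digit-normalised directory path, so that a farm spread across many domains that share one upload-path template (as in this sample's URL list) is caught as well. The size and count thresholds are assumptions of the example.

```python
"""PDF_SEO_LINK_FARM-style check: many clickable external links in a small PDF.

Added example, not the analysis platform's heuristic. The PDF builder, the sample
URLs (hypothetical hosts) and the thresholds are constructed for the demo. The URI
extractor only understands literal-string /URI actions, which covers generated
link-farm carriers but is not a general PDF parser.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# /A << /S /URI /URI (http://...) >> inside a /Link annotation; handles \( \) \\ escapes
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def _pdf_string(text):
    """Escape a URL for a PDF literal string (backslash and parentheses)."""
    raw = text.encode("latin-1")
    return raw.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def build_link_pdf(urls, body_text=b"Detox smoothie recipe for weight loss"):
    """Construct a minimal, well-formed PDF: one text page plus one /Link annotation per URL."""
    content = b"BT /F1 12 Tf 72 720 Td (" + body_text + b") Tj ET"
    annot_refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots ["
        + annot_refs + b"] >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
    ]
    for i, url in enumerate(urls):
        y = 700 - 14 * i
        objects.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] /Border [0 0 0] "
                       b"/A << /S /URI /URI (" % (y, y + 12) + _pdf_string(url) + b") >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_pos)
    return bytes(out)


def extract_uris(pdf_bytes):
    """Return the target of every literal-string /URI action, with PDF escapes removed."""
    return [re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1") for raw in URI_RE.findall(pdf_bytes)]


def link_farm_verdict(pdf_bytes, max_size=256 * 1024, min_links=10, share=0.5):
    """Flag a small PDF whose links are numerous, mostly .pdf targets, and clustered.

    Clustering is measured per host (the rule text on this page) and per
    digit-normalised directory path (assumption: catches farms spread over many
    domains that share one hosting template).
    """
    uris = extract_uris(pdf_bytes)
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    n = len(external)
    if n == 0:
        return {"links": 0, "flagged": False}
    pdf_targets = sum(urlsplit(u).path.lower().endswith(".pdf") for u in external)
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0]) for u in external)
    top_host, top_template = hosts.most_common(1)[0], templates.most_common(1)[0]
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and pdf_targets / n >= share
               and max(top_host[1], top_template[1]) / n >= share)
    return {"size": len(pdf_bytes), "links": n, "pdf_targets": pdf_targets,
            "top_host": top_host, "top_path_template": top_template, "flagged": flagged}


# Constructed sample: 14 .pdf targets on 14 different hosts sharing one upload-path
# template, one .html landing page, and one font-project licence URL of the kind that
# embedded fonts leave behind. A short citation list serves as the benign control.
FARM_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 8}/1304{i:05d}/{i * 7919:x}.pdf"
             for i in range(1, 15)]
FARM_URLS += ["http://site15.example/uploads/1/3/0/2/130400015/130400015.html#detox+smoothie",
              "http://font-project.example/wiki/index.php/License"]
CITATION_URLS = ["https://www.example.org/paper.pdf", "https://docs.example.net/guide.html",
                 "https://standards.example.com/spec.pdf"]

if __name__ == "__main__":
    for name, urls in (("link farm", FARM_URLS), ("citations", CITATION_URLS)):
        print(name, link_farm_verdict(build_link_pdf(urls)))
```

Note that the per-host share is useless against this sample's pattern (sixteen distinct hosts), while the path-template share is 15/16; a rule that only looks at host clustering, as the heuristic text describes, would need the document-size and link-count conditions to carry the verdict on their own.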

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000448b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x448B  16304 bytes
  SHA-256: 48d51f9a8bcbb569c9341ffcdb419faaf88a6e14d319ef3eace6595145069202
font_01_sfnt_off00005d19.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5D19  8564 bytes
  SHA-256: 460031a6d1ddbab7e3c1ccbb289e32299c9f4374dcebf6d8421cc578a3e44908